A critical unauthenticated arbitrary file upload vulnerability (CVE-2026-3844, CVSS 9.8) in the Breeze Cache WordPress plugin is being actively exploited. The flaw is in the plugin's 'fetch_gravatar_from_remote' function, which stores a remotely fetched Gravatar locally without validating its file type; an unauthenticated attacker can therefore place an arbitrary file on the server, leading to remote code execution and full site takeover. Exploitation is only possible when the 'Host Files Locally - Gravatars' feature is enabled, so that setting is the condition to check first. The plugin has over 400,000 active installations. Cloudways fixed the issue in version 2.4.5. Site admins are urged to update to 2.4.5 or later immediately, or to disable the 'Host Files Locally - Gravatars' feature until they can.
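The vulnerability class described above, as an added illustration that is not the Breeze plugin's code: the unsafe pattern takes the stored file's name (and so its extension) from the remote URL and writes the fetched body as-is, while the hardened pattern derives the type from the bytes themselves, refuses anything that is not an allowed image, caps the size, and names the file by content hash. All function names, the sample URL, and the constructed bodies below are hypothetical; the remote `Content-Type` header is deliberately ignored because it is attacker-controlled.

```python
"""Unsafe versus hardened storage of a remotely fetched avatar.

Hypothetical example written for this article; it is not the Breeze
plugin's source and does not reproduce fetch_gravatar_from_remote.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Leading bytes of the only image formats an avatar is allowed to be.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return 'png', 'jpg' or 'gif' from the magic bytes, or None otherwise."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def save_avatar_unsafe(remote_url: str, data: bytes, outdir: Path) -> Path:
    """Unsafe pattern: the filename, including its extension, is taken from
    the remote URL and the body is never inspected. If outdir is served by
    the web server and the remote name ends in .php, the server will execute
    whatever the remote host returned."""
    name = os.path.basename(urlparse(remote_url).path) or "avatar"
    dest = outdir / name
    dest.write_bytes(data)
    return dest


def save_avatar_hardened(data: bytes, outdir: Path, max_bytes: int = 512 * 1024) -> Path:
    """Hardened pattern: enforce a size cap, accept only bodies that sniff as
    an allowed image, and build the filename from the content hash and the
    detected type, never from anything in the remote URL or headers."""
    if len(data) > max_bytes:
        raise ValueError("avatar body exceeds size limit")
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("remote body is not a PNG, JPEG or GIF")
    digest = hashlib.sha256(data).hexdigest()
    dest = outdir / f"{digest}.{ext}"  # extension comes from the sniffed type
    dest.write_bytes(data)
    return dest


# Constructed sample bodies (not real traffic): one is PHP source that a
# hostile "avatar" URL might return, the other a minimal PNG header.
FAKE_PHP_BODY = b"<?php echo 'not an image'; ?>\n"
REAL_PNG_BODY = b"\x89PNG\r\n\x1a\n" + bytes(16)


def demo(outdir: Optional[Path] = None) -> dict:
    """Run both paths against the constructed bodies and report what happened."""
    outdir = outdir or Path(tempfile.mkdtemp())
    # Hypothetical URL: the remote name ends in .php on purpose.
    unsafe = save_avatar_unsafe("https://avatars.example/u/avatar.php", FAKE_PHP_BODY, outdir)
    try:
        save_avatar_hardened(FAKE_PHP_BODY, outdir)
        rejected = False
    except ValueError:
        rejected = True
    good = save_avatar_hardened(REAL_PNG_BODY, outdir)
    return {
        "unsafe_name": unsafe.name,          # 'avatar.php' lands on disk unchanged
        "hardened_rejected": rejected,       # True: PHP body never written
        "good_suffix": good.suffix,          # '.png' chosen from the bytes
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that no attacker-influenced value (URL path, `Content-Type`, a declared extension) ever reaches the filename; the only inputs to the name are the bytes that were actually fetched. A real plugin would additionally write outside any directory the web server executes scripts from, which this example leaves to the caller via `outdir`.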